Overview

overview

10

Static

static

10

2d59911040...18.exe

windows7-x64

10

2d59911040...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-05-2024 04:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2d59911040a480a6fbddb59a1d66ad8f_JaffaCakes118.exe

  • Size

    160KB

  • MD5

    2d59911040a480a6fbddb59a1d66ad8f

  • SHA1

    b97065e561f6fb69d16932473e5dd039ef2b842d

  • SHA256

    8ab99ac368b338310cb1e130d9971aedcdd3b79e5c7143e8b4b0a8ce894f9c78

  • SHA512

    c85a1b5faf249f186515a222a5e931de6ebbce2f4d3f09460761e2a9a114ca7bfae6dc55c80a3aa0b1688136d5419afbfff909311a23e13b514fbd2ab94859ed

  • SSDEEP

    3072:Kt38mD9P3ILbi4eTMlwDCnumOtbzl9j0G:KdNBPAbnWJmOhb

Score
10/10
sodinokibiransomware

Malware Config

Extracted

Path

C:\Users\d45492m9-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion d45492m9. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/DFB2CE7DF69740DB 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/DFB2CE7DF69740DB Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: nPe2YJRmlar8wYqQc9RBCkYESNSb0LmHhZL4AiT3TSpikQj1bI7xuK+rE7I6vTxH 6V9o2V6ZoMF/nbct1g4itM4mUIrY61A3AUAe3b41P4felmRoBEx6KS05VPp12/iC Iz5h/I0bnx6VRiTASXETrP41YAm7MLLmwZ7ua9lcRerQfOORukSaZ1gmNquVV0Jp PyBd0BkSFzAr3yEREG8sCv+sqno6+SvNjrgtvB3dCtnpqVLFFH11Q9XBNFKrbrYu z/nR/awpdgUjLSVWSirJNc5JHkuQH/+E4fH31pR30WVdHKFnqZrZC4hwozIIXli7 Hl58xC9SRbO/1JCxhaD8qAsTr9eqVmdFYVx/1cxmLWjM3j2B6uzxPd1tMZcskvd1 mRv6nVmSMjNz5JT9u3mqQpHkh/qe8rBdcCYmoRNDSB1gCfs+aVaNAiTsffexTu7B Kg5D3l1GCfXaBBVfnt14t9MVn9HEcWB9om2GfLHeOvV25BDgMegU3cS6qVf0xbvG PVPNXhXUPThBv0wvDO6YKpn0QNZd1FkVZDMbUA0IsHCOnlGaSjqH6P8TsK5YtJCN t1VxIcKqZrgi+aMBdoYcrN7c6xu2oZJ9dlDdjLctgUksrOlFTHlKB9Nrj28oypRC hdHi5TC/tiH2MJDpm+Js6/09wgbAxAOGaiAwhJnHYRlBLpiOZwFKxrx4FywLNscG bvZCASwACJ+WGAUFnC2WYZ8lNj3v7dcU7x/NPtZPzpSDoGmoA2oryXt4VUyxp6br 5du/2G8sd8r2NhSHRj+/3da669dAZF1/5fGbBhfsiQl6ZuLd+HYuGKa70flRsR2D PJHltlfh8/DrL5y2rZKEm2aopaT7oA6QE/IpQD8+x2+29kH5UxY4Egib3Cp8bFaA KUbCaQys0wvcT8yOrnZcpbVk6iyVAt1e717yFm6bSXRKAQ+7EaxBWo+Q7aFfE9dG zI5egO2RiGgoxWylidIuwzFsYMJ9VlM4R++QLevnw28BfRoHw6YRH2ddEBYAvJ+n 86W2RSu/jVT/dAt0HYSuXGIyc59o6B+TVCtiaCPZhxEsAIBFlkEFqfo9tKOKONIe O8MZFDj+krbq3rs7XbFuIJ8Faa1ojH/78eMyfMTSNos2U5O45ED0AOGJ9+y3Go6a KPDuoCo3JhUwcmPMGmXScUA9ztdU6MbPrau8EaKUXYLLTGyDpp6KsvRdxuLrAmZr jkp9KLV77lDI/W4cEErlh/1W Extension name: d45492m9 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/DFB2CE7DF69740DB

http://decryptor.top/DFB2CE7DF69740DB

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops desktop.ini file(s) 27 IoCs
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 39 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2d59911040a480a6fbddb59a1d66ad8f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2d59911040a480a6fbddb59a1d66ad8f_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3988
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
      2⤵
        PID:2236

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\d45492m9-readme.txt
      Filesize

      6KB

      MD5

      2dc84ffe5c9defabf2da1a9b1b4bbdd2

      SHA1

      b7221b13cfed21d4c8f649c6dbd43d106e23bd82

      SHA256

      e00302a60b7a47d50ad296ec12dfd0eda442cdf2b4d388d06a59d2ac3feadf82

      SHA512

      be7ba628a324cb54a07fbba465ffd11f48530bf77126a6805e09ed65302aac1a4171da1c20acebf96fd4e39c498dc7d50f89b6d6960137241b5e8db037dd1598

      Download Submit